Ask HN: Do you believe that your government has access to your Google history?

8 points by OskarS ↗ HN
I was thinking about this, and I'm not sure where I come down. In the post-Snowden world, most big sites (including Google) have gone HTTPS-only, with additional security features like certificate pinning. As far as I'm aware, nothing in the Snowden revelations suggested that that the NSA had been able to break SSL/TLS, so it would seem reasonable that it would be very difficult for them to snoop on you while you're googling.

Obviously, if you're a suspect in a criminal case, the government could get a court order for google to turn over your search history. But do you believe the the kind of widespread "dragnet" surveillance that was made known through the Snowden leaks is still going on? Or do you believe that the last few years of tightening up web security really made a difference when it comes to state sponsored snooping?

7 comments

[ 3.1 ms ] story [ 26.1 ms ] thread
Backdoors, dude, backdoors. Coupled with governments sharing data, officially and not.
As a US citizen, yes definitely. Anecdotal, but a former coworker of mine did something stupid that made him seem like a threat to national security. For a while after that, he would notice that every time he logged into Google on a computer, all sites he visited would have TLS downgraded to TLS 1.0.
> But do you believe the the kind of widespread "dragnet" surveillance that was made known through the Snowden leaks is still going on?

Snowden didn't stop it. And it's only getting worse. No matter how much TLS you have, governments still continue to fund efforts to backdoor everything that blinks and spy on everything that moves, and not only through technology, but also through coercion and politics.

Tightening security didn't really make any difference against state actors. But it was and still is a seemingly convincing excuse to centralize control over technology.

I do not belive data is massively harvested by man-in-the-middle of TLS as it would be a difficult challenge to reverse engineer all of the custom protocols that power the different services: each session comprises hundreds of requests of custom-schema json, xml, over HTTP, websocket and other protocols. Moreover these protocols change all the time since the same entity controls both servers and clients.

This does not preclude snooping on a specific TLS session or harvesting data at a different stage.

It is so easy for agencies to get a secret court order to collect data from Google directly. So they do not have to break TLS to Google's sites. With these secret orders in the name of "national security" anything is possible and you do not know and most likely will never know what is ordered.
If they want it, absolutely.

I don't know whether they are actively collecting everything I search for all the time when I am (I presume) not a "person of interest". I wouldn't be very surprised either way.

Also: Why stop at Google? Do you believe that your government has access to everything you read on HN? To everything you look at on Amazon? To everything you look at on Tor?